Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3591944 by rat5ak
A heap-use-after-free occurs in smb_send_open() at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path() sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via Curl_conn_free() → smb_conn_dtor(), which frees smbc->share, but req->path (on the easy handle) still references the freed buffer. The subsequent strlen(req->path) in smb_send_open() reads freed heap memory.
Affected version: curl 8.19.0-DEV (master branch, built March 8 2026)
Platform: Ubuntu 22.04 on x86_64 (WSL2)
Built with: gcc, OpenSSL, --enable-smb, -fsanitize=address